Computing Reviews
Hack for hire
Mirian A. Queue 17(4): 41-60, 2019. Type: Article
Date Reviewed: Jan 29 2020

Email accounts usually include large amounts of sensitive information, including passwords for other accounts, financial information, contacts’ information, business exchanges, and so on. Consequently, they make a valuable target for hackers. This has resulted in an emergent market for “hack-for-hire services,” which provide targeted attacks for a rather small fee.

A recent project was set up to study how hack-for-hire services attack victims and how effective they are. This article is a summary of this project; there is also a longer paper [1]. The researchers discovered 27 email hacking services, purchased these services, and then used them for eight months. Next, they asked the hack-for-hire services to break into a set of fictitious victims; that is, they created a type of honeypot, with “buyer” and “victim” personas, and a monitoring framework to observe the behavior of the attacks.

Although only five of the 27 hired services actually tried to break into the victim accounts, and only three were successful, the researchers were able to reach some valuable conclusions. Some of the attacks were quite sophisticated, bypassing SMS two-factor authentication (2FA), a common authentication protocol, via phishing.

The authors recommend the use of universal 2nd factor (U2F) security keys because they cannot be broken by phishing. While this market is not yet a significant threat, it might become more effective in the future; thus their recommendations can be considered a serious warning.

The article is clear and valuable for those interested in the modus operandi of Internet attacks.

Reviewer: E. B. Fernandez
Review #: CR146861 (2006-0143)

1) Mirian, A.; DeBlasio, J.; Savage, S.; Voelker, G. M.; Thomas, K. Hack for hire: exploring the emerging market for account hijacking. In The World Wide Web Conference (WWW 2019), ACM, 2019, 1279–1289.
Abuse And Crime Involving Computers (K.4.1 ... )
 